[Samba] Authentication issue after updating samba on CentOS 7 (from yum)
Rowland Penny
rpenny at samba.org
Wed Dec 22 17:05:33 UTC 2021
On Wed, 2021-12-22 at 19:34 +0300, Alex wrote:
> Hello Rowland,
>
> Thank you for your prompt reply!
>
> [skip]
>
> > > smb.conf:
> > > [global]
> > > workgroup = DOMAIN
> > > server string = vm-corp
> > > netbios name = VM-CORP
> > > realm = DOMAIN.BIZ
> > > security = ads
> > > template shell = /sbin/nologin
> > So, your users never log into the server directly, just via Samba.
>
> Most users don't. Some of them that are allowed have a shell defined
> in the AD (loginShell attribute).
Sounds reasonable
>
> > > idmap config * : backend = tdb
> > > idmap config * : range = 16777216-33554431
> > Is there some reason for that range? It will allow you 16777215 users
> > & groups for something that requires only about 200.
>
> I think it's a legacy. Don't remember why it's here. I'll try to
> remove it.
You are probably stuck with it.
>
> > > idmap config DOMAIN:backend = ad
> > > idmap config DOMAIN:schema_mode = rfc2307
> > > idmap config DOMAIN:range = 400-999999
> > Again, why the strange range? Do you have users & groups with uidNumber
> > & gidNumber attributes that low?
>
> This is also a legacy thing. There're users in the AD with uidNumber
> starting from 400.
Okay, I was just checking; some people think they need a range like
that because they are using the winbind 'ad' backend, but they don't
actually add any RFC2307 attributes to AD.
>
> > > idmap config DOMAIN:unix_primary_group = yes
> > Do your users have gidNumber attributes.
>
> Yes, they do. This came from MS Services for Unix.
Have you actually checked? MS-SFU didn't add a gidNumber attribute to
users unless you told it to.
>
> > > idmap config DOMAIN:unix_nss_info = yes
> > This is interesting, you only need that if your users have a
> > unixHomeDirectory attribute (at least), yet you are not using '[homes]'
> > below.
>
> Yes, they do have unixHomeDirectory attribute.
>
> > > winbind use default domain = true
> > > winbind offline logon = false
> > > winbind enum users = Yes
> > > winbind enum groups = Yes
> > You do not need the 'enum' lines, it works without them.
>
> There was an issue w/o the enum lines. Unfortunately, I don't
> remember exactly what it was, probably couldn't retrieve groups from
> the AD with "getent group" command.
Adding those lines would not fix such a problem, either it would work
or it wouldn't. All those lines do is to get 'getent user' to display
all users and 'getent group' to display all groups, along with slowing
everything down.
>
> > > [username]
> > > comment = username's home
> > > path = /home/username
> > > read only = No
> > > create mode = 0660
> > > valid users = username
> > As noted above, why are you not using '[homes]' ?
>
> It's b/c most users are prohibited from using this server. So, I
> allowed homes on this server for just a few of them directly.
So does that mean you have multiple '[username]' shares in smb.conf ?
>
> > > I tried to create the username_map_script.sh and add the following
> > > lines (as mentioned in https://bugzilla.samba.org/show_bug.cgi?id=14901):
> > > min domain uid = 500
> > Try changing the '500' to '0'
> > > username map script = /etc/samba/username_map_script.sh
> > Change that to:
> > username map script = /etc/samba/user.map
> > Create /etc/samba/user.map containing:
> > !root = DOMAIN\Administrator
>
> Assuming you meant "username map = /etc/samba/user.map" here.
Yes, I did, sorry for the mistake
> I did that both (changed min uid to 0 and set a user.map file) -
> still can't log in :(
This is very strange, I am using Samba 4.15.3 with this smb.conf and I
can log in:
[global]
workgroup = SAMDOM
security = ADS
realm = SAMDOM.EXAMPLE.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba Client %h
winbind use default domain = yes
winbind expand groups = 2
winbind refresh tickets = Yes
disable netbios = yes
dns proxy = no
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = ad
idmap config SAMDOM : schema_mode = rfc2307
idmap config SAMDOM : range = 10000-999999
template shell = /bin/bash
template homedir = /home/%U
username map = /etc/samba/user.map
vfs objects = acl_xattr
map acl inherit = Yes
# Comment the following 4 lines to act as a print server
printcap name = /dev/null
load printers = no
disable spoolss = yes
printing = bsd
# logging
log file = /var/log/samba/%m.log
logging = file
log level = auth_audit:3@/var/log/samba/auth.log auth_json_audit:4@/var/log/samba/json/auth.log
min domain uid = 0
Rowland
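As an added example (not from the thread and not Samba's own code), a small Python checker that reads the idmap ranges and 'min domain uid' out of an smb.conf fragment and flags uidNumbers that winbind would refuse: below the minimum, or outside every configured range. It reproduces the mismatch discussed above, where users with uidNumber from 400 meet 'min domain uid = 500'. The smb.conf text and the uidNumber list are constructed for the example; the fallback of 1000 is the default documented in smb.conf(5).

```python
import re

# Constructed smb.conf fragment mirroring the settings quoted in the thread.
SMB_CONF = """
[global]
   workgroup = DOMAIN
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 16777216-33554431
   idmap config DOMAIN:backend = ad
   idmap config DOMAIN:schema_mode = rfc2307
   idmap config DOMAIN:range = 400-999999
   min domain uid = 500
"""
# Same fragment with the change Rowland suggested.
FIXED_CONF = SMB_CONF.replace("min domain uid = 500", "min domain uid = 0")

# Constructed uidNumber values as they might come from AD (rfc2307 attributes).
SAMPLE_UIDS = [400, 750, 1000000]

RANGE_RE = re.compile(r"\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)
MIN_UID_RE = re.compile(r"\s*min domain uid\s*=\s*(\d+)", re.I)


def parse_idmap(conf):
    """Return ({domain: (low, high)}, min_domain_uid) parsed from smb.conf text."""
    ranges, min_uid = {}, 1000  # 1000 is the smb.conf(5) default for 'min domain uid'
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
            continue
        m = MIN_UID_RE.match(line)
        if m:
            min_uid = int(m.group(1))
    return ranges, min_uid


def check_ids(conf, uid_numbers):
    """List the problems winbind would hit: overlapping ranges and unmappable uids."""
    ranges, min_uid = parse_idmap(conf)
    problems = []
    items = list(ranges.items())
    for i, (d1, (a1, b1)) in enumerate(items):  # every idmap range must be disjoint
        for d2, (a2, b2) in items[i + 1:]:
            if a1 <= b2 and a2 <= b1:
                problems.append(f"range overlap: {d1} and {d2}")
    for uid in uid_numbers:
        if uid < min_uid:  # rejected regardless of the idmap range
            problems.append(f"uid {uid} below min domain uid {min_uid}")
        elif not any(lo <= uid <= hi for lo, hi in ranges.values()):
            problems.append(f"uid {uid} outside every idmap range")
    return problems
```

Running check_ids(SMB_CONF, SAMPLE_UIDS) reports uid 400 as below the minimum, while the same call on FIXED_CONF keeps only the uid that no range covers.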